"also supports the use of dm-crypt, although, presumably because of
dm-crypt's emphasis on external drives, its use is not recommended for
dm-crypt works on any block device. It can also work on files via the
The project website Quickstart document contains:
"To this end, we prefer Jari Ruusu's loop-aes multikey encryption scheme over others, like dm-crypt, which are more likely to be susceptible to various sophisticated attacks."
If the sophisticated attacks they are referring to are the watermarking
attacks, then this is a problem that has been solved since 2.6.10
through the use of ESSIV.
Overall, it seems like the project goals are pretty misguided. The
onerous task of having to regenerate a new image to (persistently)
update any software is likely to lead to systems running out of date
software which is then more likely to contain vulnerabilities!
They could meet their goal of having zero interpretable data from
a cold-boot attack by just putting a kernel & appropriate initrd image
on a USB drive. This would also avoid the usability nightmare of
losing all data/settings on a system crash or having to mount
another device just to save your data.
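To make the ESSIV point concrete, here is an added illustration (not part of the comment or of dm-crypt's own code) of why the IV choice decides whether a cross-sector watermark shows up in CBC ciphertext. It assumes dm-crypt's IV layouts (32-bit little-endian sector number for "plain", 64-bit for ESSIV, zero padded to 16 bytes) and uses a truncated HMAC-SHA256 as a stand-in keyed PRF instead of AES; the key and sector numbers are constructed sample values.

```python
import hashlib
import hmac
import struct

BLOCK = 16
VOLUME_KEY = b"\x42" * 32        # constructed sample volume key, not a real one

def prf_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES: HMAC-SHA256 truncated to one 16-byte block.
    It is a keyed PRF, not an invertible cipher, so only encryption is
    modelled; that is enough to show how the IV choice matters."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def iv_plain(sector: int) -> bytes:
    # dm-crypt 'plain' IV: 32-bit little-endian sector number, zero padded.
    # Anyone can compute it, so it is public and predictable.
    return struct.pack("<I", sector & 0xFFFFFFFF) + bytes(BLOCK - 4)

def iv_essiv(volume_key: bytes, sector: int) -> bytes:
    # ESSIV: IV = E_{H(K)}(sector); the IV key is a hash of the volume key,
    # so the IV cannot be predicted without the key.
    salt = hashlib.sha256(volume_key).digest()
    return prf_block(salt, struct.pack("<Q", sector) + bytes(BLOCK - 8))

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def first_cbc_block(volume_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # First CBC block of a sector: C0 = E_K(P0 xor IV).
    return prf_block(volume_key, xor(plaintext, iv))

def craft_pair(sector_a: int, sector_b: int) -> tuple:
    # Two plaintext blocks chosen (without the key) so that under 'plain'
    # IVs P_a xor IV_a == P_b xor IV_b, i.e. both sectors start with the
    # same ciphertext block: a pattern visible to anyone holding the disk.
    base = b"A" * BLOCK
    return base, xor(base, xor(iv_plain(sector_a), iv_plain(sector_b)))

def watermark_visible(volume_key: bytes, sector_a: int, sector_b: int, essiv: bool) -> bool:
    # True when the two sectors' first ciphertext blocks collide.
    p_a, p_b = craft_pair(sector_a, sector_b)
    if essiv:
        iv_a, iv_b = iv_essiv(volume_key, sector_a), iv_essiv(volume_key, sector_b)
    else:
        iv_a, iv_b = iv_plain(sector_a), iv_plain(sector_b)
    return first_cbc_block(volume_key, iv_a, p_a) == first_cbc_block(volume_key, iv_b, p_b)

if __name__ == "__main__":
    print("plain IV, watermark visible:", watermark_visible(VOLUME_KEY, 1000, 1001, essiv=False))  # True
    print("ESSIV,    watermark visible:", watermark_visible(VOLUME_KEY, 1000, 1001, essiv=True))   # False
```

The same crafted pair collides under the public "plain" IV but not under ESSIV, which is the property the comment refers to when it says the watermarking problem was solved by ESSIV.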
Copyright © 2017, Eklektix, Inc.